Please help with elapsed plugin and timestamp difference

Hello everyone and thanks for this great Forum!

I need a hand with Elastic: I have to compute the difference between 2 timestamps that have the logon ID in common but a different event.action.
Unfortunately I don't even know where to start; I'm following some ELK trainings right now.
To recap what I am trying to do: I am trying to get the difference between 2 timestamps for a Windows logon and logoff.
I am using winlog.event_data.TargetLogonId to track the session,
event.action tells me if it is a logon or a logoff,
and winlog.event_data.TargetUserName.keyword tells me the username.
This is a script I found online and readjusted using the elapsed plugin:

    filter {
      # Winlogbeat fields are nested, so use bracket field references:
      # [event][action], not [event.action] (which would be a top-level field literally named "event.action")
      if [event][action] == "logon" {
        mutate { add_tag => ["taskStarted"] }
      } else if [event][action] == "logoff" {
        mutate { add_tag => ["taskTerminated"] }
      }
      elapsed {
        start_tag => "taskStarted"
        end_tag => "taskTerminated"
        # the logon ID is what ties a logon event to its logoff event
        unique_id_field => "[winlog][event_data][TargetLogonId]"
        # seconds to keep a start event waiting for its logoff before it is dropped
        timeout => 10000
        # enrich the logoff event itself instead of emitting a new event
        new_event_on_match => false
        # add_field takes a hash; the plugin stores the difference in seconds in elapsed_time
        add_field => { "[winlog][event_data][EventDuration]" => "%{elapsed_time}" }
      }
    }

Can you please help me?
The result should be the duration of a login session.

Thanks to everyone who will help me

Doing this kind of processing in Logstash introduces a series of severe limitations, in that all data has to pass through the same Logstash instance and be processed by a single thread, assuming Logstash does not restart and lose state. This may work for very small use cases but scales badly.

I would therefore recommend you look at the transform API and try to use this to create a new index containing a single entity-centric document per session which you can update as data comes into Elasticsearch. With this solution you do not need to throttle your ingest processing and are likely to see much better performance.
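To make the transform suggestion concrete, here is an added example (not code from the thread) of the body of a `PUT _transform/logon-sessions` request that pivots the logon/logoff events into one document per TargetLogonId, followed by `POST _transform/logon-sessions/_start`. Assumed: a `winlogbeat-*` source index pattern, a `logon-sessions` destination index, `event.action` values of `logon`/`logoff` as used above, and keyword mappings for the two winlog fields.

```json
{
  "source": {
    "index": "winlogbeat-*",
    "query": { "terms": { "event.action": ["logon", "logoff"] } }
  },
  "dest": { "index": "logon-sessions" },
  "frequency": "1m",
  "sync": { "time": { "field": "@timestamp", "delay": "60s" } },
  "pivot": {
    "group_by": {
      "logon_id": { "terms": { "field": "winlog.event_data.TargetLogonId" } },
      "user": { "terms": { "field": "winlog.event_data.TargetUserName.keyword" } }
    },
    "aggregations": {
      "logon": {
        "filter": { "term": { "event.action": "logon" } },
        "aggs": { "ts": { "min": { "field": "@timestamp" } } }
      },
      "logoff": {
        "filter": { "term": { "event.action": "logoff" } },
        "aggs": { "ts": { "max": { "field": "@timestamp" } } }
      },
      "session_duration_ms": {
        "bucket_script": {
          "buckets_path": {
            "start": "logon>ts",
            "end": "logoff>ts",
            "logoffs": "logoff._count"
          },
          "script": "if (params.logoffs == 0) { return null; } return params.end - params.start;"
        }
      }
    }
  }
}
```

The `_count` guard leaves `session_duration_ms` unset while a session is still open (no logoff seen yet), and the continuous transform fills it in on the next checkpoint once the logoff arrives.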

Hi Christian,

Thanks for your reply and help.
Do you have a tutorial that can help me with it?

Thanks
Fabrizio

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.